(54) SYSTEM AND IMPLEMENTATION METHOD OF CONTROLLED MULTICAST



(57) A system and method for implementing controlled multicast, comprising Ethernet switch 1, multicast router 2, and portal server 3 and AAA server 4 that connect with the multicast router. Ethernet switch 1 connects with each host of a user in the downlink, connects with multicast router 2 in the uplink, and implements layer 2 multicast switching; portal server 3 is used as the interface for access authentication of the user; AAA server 4 is used to store the configuration of user privileges for joining a multicast group; multicast router 2 connects with multicast routers of other systems in the uplink and cooperates with AAA server 4 to complete privilege authentication for the user when he joins the multicast group, distributes control commands according to the results of the authentication, and controls the multicast forwarding performed by Ethernet switch 1. The method according to the present invention better resolves the authenticated authorization and control problem of senders and receivers joining the multicast, can conveniently identify the host joining or leaving the multicast group, and can actively terminate the user's group membership when the user goes offline, without any influence on forwarding efficiency.
Description

Field of the Technology 

[0001] The present invention relates generally to IP multicast techniques, and more particularly to a controlled IP multicast system and its implementation method in the field of telecommunication technology.

Background of the Invention

[0002] Along with the maturation of the IP multicast technique, application of IP multicast is becoming increasingly widespread. However, in the IP multicast model any host can join any multicast group without limitation, and until now there have been no effective methods that solve the controlled join problem of a host in an IP multicast network.

[0003] It is well known that, in the IP multicast model, a multicast group comprises senders and receivers, which are connected by a multicast Distribution Tree. When a sender needs to send data to a certain group, the host transmits the data directly to the multicast router it connects with, and the multicast router then forwards the data to the multicast receivers via the multicast Distribution Tree, without any limitation on the host that sends the messages. As soon as a host wants to get data from a certain multicast group, the host sends a Membership Report message to its connected multicast router according to the Internet Group Management Protocol (IGMP for short), and the multicast router then forwards the data of the multicast group to the host after the Membership Report message is processed; similarly, the multicast router places no limitation on the host which wants to obtain the multicast messages. With the commercialization of IP multicast applications, multicast security has become an urgent problem that should be solved as soon as possible, a key part of which is prohibiting unauthorized receivers from receiving the multicast messages.
[0004] Norihiro Ishikawa et al. proposed an IGMP extension protocol, "IGMP Extension for Authentication of IP Multicast" (published as draft-ietf-idmr-igmp-auth-01.txt), and a RADIUS extension protocol, "RADIUS Extension for Multicast Router Authentication" (where RADIUS is the abbreviation of Remote Authentication Dial In User Service; published as draft-yamanouchi-RADIUS-ext-00.txt), with which authentication for the sender and the receiver can be made.
[0005] The IGMP extension protocol above is an extension based on IGMP v2 (version 2), in which an authentication function for the multicast sender and the multicast receiver is added, to prevent unauthorized users from sending or receiving multicast packets. The IGMP extension protocol adopts a Challenge-Response mechanism similar to the PPP authentication protocol CHAP (Challenge Handshake Authentication Protocol), such as a three-way handshake with a hashed rather than cleartext password response, to authenticate the user. Once a multicast sender begins to transmit IP multicast messages, an Ingress router may authenticate it with the challenge-response mechanism. The Ingress router may use RADIUS as the authentication server during the authentication process. When the authentication succeeds, the multicast packets from the sender are forwarded by the Ingress router to the IP multicast network and then to an Egress router. When the authentication fails, the Ingress router discards the multicast packets silently. Authentication by the Egress router is needed when a multicast receiver wants to receive IP multicast messages. The Egress router may also use RADIUS as the authentication server during the authentication process. Once the authentication succeeds, the Egress router begins to transmit the IP multicast packets to the receiver; otherwise, no IP packets are forwarded to the receiver.
[0006] The RADIUS extension protocol above is an extension made on the basis of RADIUS, which may authenticate the multicast sender and the multicast receiver at the Ingress router and the Egress router, and track the multicast data of the user to provide data for service management. The authentication server must be able to provide the authentication service required by the multicast router; meanwhile, the multicast router may provide the identification (User ID) and password of the user. In order to ensure security, the authentication process must be challenge-based, and every service must be authenticated; for instance, authentication must be made for the address of each multicast group. The reason is that multicast packets are transmitted according to the group address, so the authority of the user should be correlated with the group. Except for some additional attributes, the other requirements are the same as those of RADIUS. Whether or not the multicast router performs RADIUS authentication is optional.

[0007] When configured to support RADIUS charging (accounting), the multicast router generates a charging start message at the beginning of the multicast service and sends it to a RADIUS multicast charging server, where the message describes the type of the service. After receiving the charging start message, the RADIUS multicast charging server returns a confirmation message. When the multicast service is completed, the multicast router also generates a charging end message, which likewise describes the type of the service, and sends it to the RADIUS multicast charging server. After receiving the message, the RADIUS multicast charging server also returns a confirmation message.

[0008] After receiving an IGMP Join request, the multicast router sends an Access-Request message to a RADIUS multicast authentication server to ask for authentication. After receiving a response from the RADIUS multicast authentication server that indicates the authentication is successful, the multicast router sends an Accounting-Request/Start message to the RADIUS multicast charging server to start charging. When receiving an IGMP Leave request, the multicast router may send an Accounting-Request/Stop message to the multicast charging server to terminate the charging. If no response is returned to the multicast router within a certain period of time, the RADIUS extension protocol advises the multicast router to resend the Access-Request message several times. The multicast charging server can also ask other servers (such as a proxy server) to implement the charging function. If the multicast charging server is unable to record the charging message successfully, it must not send an Accounting-Response confirmation message to the multicast router.
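The exchange of [0006] to [0008] is illustrated below with an added worked example that is not part of the original application and not the code of the IETF drafts: the multicast router builds an Access-Request carrying the User-Name and the group address, the AAA server answers Access-Accept or Access-Reject, the router verifies the Response Authenticator before acting on the reply, and an Accounting-Request Start follows an accepted join. The attribute that carries the group address is an assumption (a Vendor-Specific attribute with a made-up vendor ID), and the secret, user names and privilege table are constructed sample data; the packet layout follows RFC 2865 and RFC 2866.

```python
"""Added example of the RADIUS exchange in [0006]-[0008]: the multicast
router sends an Access-Request carrying the user name and the group, the
AAA server answers Accept or Reject, the router verifies the reply's
Response Authenticator before trusting it, and an Accounting-Request
Start follows an accepted join. Not the patent's or the IETF draft's code.
Assumptions: the group rides in a Vendor-Specific attribute (26) with a
made-up vendor ID and sub-type; secrets, users and privileges are
constructed. Layout per RFC 2865 (sections 3, 5) and RFC 2866 (section 3).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 26, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_ID, VSA_MCAST_GROUP = 99999, 1   # hypothetical "multicast group" VSA


def avp(attr_type, value):
    """One attribute: Type(1) Length(1, header included) Value(<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def group_vsa(group):
    """Vendor-Specific attribute wrapping the dotted group address."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + avp(VSA_MCAST_GROUP, group.encode()))


def parse_attrs(data):
    """[(type, value), ...]; refuses truncated or zero-length TLVs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_auth(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def access_request(ident, user, group):
    """Router -> AAA: who wants which group. Returns (packet, RequestAuthenticator)."""
    req_auth = os.urandom(16)
    return packet(ACCESS_REQUEST, ident, req_auth, avp(USER_NAME, user.encode()) + group_vsa(group)), req_auth


def aaa_reply(request, privileges, secret):
    """AAA side: read User-Name and the group VSA, answer Accept or Reject."""
    if len(request) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attrs(request[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    vsa, group = attrs.get(VENDOR_SPECIFIC, b""), None
    if len(vsa) >= 4 and struct.unpack("!I", vsa[:4])[0] == VENDOR_ID:
        group = dict(parse_attrs(vsa[4:])).get(VSA_MCAST_GROUP, b"").decode(errors="replace")
    reply = ACCESS_ACCEPT if group in privileges.get(user, set()) else ACCESS_REJECT
    return packet(reply, ident, response_auth(reply, ident, b"", request[4:20], secret), b"")


def verify_reply(reply, req_auth, secret):
    """Router side: drop any reply whose authenticator does not verify, so a
    spoofed Access-Accept injected on the wire cannot open the group."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    return hmac.compare_digest(response_auth(code, ident, reply[20:], req_auth, secret), reply[4:20])


def accounting_request(ident, user, group, status, secret):
    """Accounting-Request Start/Stop; authenticator computed over 16 zero octets (RFC 2866)."""
    attrs = avp(USER_NAME, user.encode()) + group_vsa(group) + avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
    return packet(ACCOUNTING_REQUEST, ident, response_auth(ACCOUNTING_REQUEST, ident, attrs, bytes(16), secret), attrs)


def join_exchange(user, group, privileges, secret=b"constructed-secret"):
    """One IGMP join as the router sees it: 'accept' (Acct Start sent) or 'reject'."""
    req, req_auth = access_request(7, user, group)
    reply = aaa_reply(req, privileges, secret)
    if not verify_reply(reply, req_auth, secret) or reply[0] != ACCESS_ACCEPT:
        return "reject"
    accounting_request(8, user, group, ACCT_START, secret)   # would go to the charging server
    return "accept"
```

The check in verify_reply is the part a practitioner should not skip: RADIUS replies are not otherwise authenticated, so a router that acts on the code byte alone can be fed an Access-Accept by anyone who can reach its UDP port.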
[0009] Moreover, Cisco Inc. developed the Cisco Group Management Protocol (CGMP for short), which is used for solving the multicast forwarding flooding problem in the presence of an Ethernet switch; with CGMP, a layer 3 device can control the forwarding table of a layer 2 device, which provides a means to control authorized reception to a certain extent. As shown in Fig. 1, a CGMP message is composed of a version number (Ver, 4 bits), Type (4 bits), a Reserved part (2 bytes), the number of GDA/USA pairs in the message (Count, 1 byte) and several GDA/USA pairs. Here the GDA (Group Destination Address) is the MAC multicast address that corresponds to the IP address of the multicast group the host wants to join; the USA (Unicast Source Address) is the MAC address of the host which wants to join the multicast group, and is a unicast address.

[0010] As shown in Fig. 2, the process of CGMP is as follows. Host 1 sends an IGMP Membership Report message to join multicast group 224.1.2.3; the switch uses MAC address 0100.5e01.0203, which corresponds to the multicast group address resolved from the message, to search for matching entries in a CAM (Content-Addressable Memory) table; because there is no matching entry in the CAM table, the message is forwarded (flooded) to all the ports, including the CPU and the multicast router. After receiving the IGMP Membership Report message, the multicast router, besides the routine processing, produces a CGMP Join message and multicasts it to the switch; the message comprises the MAC address (USA: 0080.c7a2.1093) of the host which applies to join the multicast group, the MAC address (GDA: 0100.5e01.0203) of the multicast group to be joined, and a Join command field. After receiving the CGMP Join message, the switch adds an entry to the CAM table, which includes the GDA (0100.5e01.0203 in the drawings), the port number (marked as 2 in the drawings) of the host which wants to join the multicast group, and the port number (marked as 1 in the drawings) of the multicast router that connects with the switch. The port number of the host is obtained by looking up the USA.

[0011] As shown in Fig. 3, when the fourth host, host 4, joins multicast group 224.1.2.3, it similarly sends an IGMP Membership Report message to the switch; after resolving that the destination group IP address is 224.1.2.3, the switch finds the entry by searching the CAM table with the corresponding MAC address 0100.5e01.0203 of that IP address, and forwards the message to ports 1 and 2 (the multicast router and host 1 respectively) listed in the entry. After receiving the IGMP Membership Report message, besides the routine processing, the multicast router produces a CGMP Join message and multicasts it to the switch, which comprises the MAC address of the host which applies to join the multicast group (USA: 0080.c7b3.2174), the MAC address (GDA: 0100.5e01.0203) of the multicast group to be joined, and the Join command field. After receiving the CGMP Join message, the switch obtains the entry by searching the CAM table with the GDA, gets the port number of host 4 by searching the CAM table with the USA, and meanwhile adds port number 5 into the
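The CGMP message layout of [0009] and the CAM-table behaviour of Figs. 2 and 3 are reproduced below in an added worked example that is not part of the original application and not Cisco's code. The field widths come from the text; the numeric Type values for Join and Leave, the switch port numbers and the host MAC addresses of the figures are the simulation's assumptions.

```python
"""Added example of the CGMP message format in [0009] (Fig. 1) and the
switch-side CAM-table handling of Figs. 2 and 3. Not Cisco's or the
patent's code. Field widths (Ver 4 bits, Type 4 bits, Reserved 2 bytes,
Count 1 byte, then Count GDA/USA pairs of 6-byte MACs) follow the text;
the Type codes for Join/Leave and the port numbers are assumptions.
"""
import ipaddress
import struct

CGMP_JOIN, CGMP_LEAVE = 0, 1  # assumed Type codes; the page does not give them


def mac(text):
    """'0100.5e01.0203' or '01:00:5e:01:02:03' -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {text!r}")
    return raw


def dotted(raw):
    """6 raw bytes -> the Cisco dotted form used in the figures."""
    h = raw.hex()
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"


def group_mac(group_ip):
    """IPv4 group -> MAC: 01:00:5e followed by the low 23 bits of the address.
    224.1.2.3 -> 0100.5e01.0203. The 5 high bits of the group are lost, so 32
    groups share one MAC and a CAM entry is only a coarse filter."""
    ip = ipaddress.IPv4Address(group_ip)
    if not ip.is_multicast:
        raise ValueError(f"{group_ip} is not a multicast group")
    return bytes([0x01, 0x00, 0x5E]) + (int(ip) & 0x7FFFFF).to_bytes(3, "big")


def pack_cgmp(msg_type, pairs, version=1):
    """Ver(4) Type(4) | Reserved(16) | Count(8) | Count x (GDA, USA)."""
    if not (0 <= version < 16 and 0 <= msg_type < 16 and len(pairs) <= 255):
        raise ValueError("field out of range")
    return struct.pack("!BHB", (version << 4) | msg_type, 0, len(pairs)) + b"".join(g + u for g, u in pairs)


def parse_cgmp(data):
    """Returns (version, type, [(gda, usa), ...]); rejects a Count/length mismatch."""
    if len(data) < 4:
        raise ValueError("short CGMP header")
    ver_type, _reserved, count = struct.unpack("!BHB", data[:4])
    body = data[4:]
    if len(body) != 12 * count:
        raise ValueError("Count does not match payload length")
    return ver_type >> 4, ver_type & 0xF, [(body[i:i + 6], body[i + 6:i + 12]) for i in range(0, len(body), 12)]


class CgmpSwitch:
    """Layer 2 switch whose single CAM table holds unicast (one port) and
    multicast (router port plus member ports) entries keyed by MAC."""

    def __init__(self, ports, router_port):
        self.ports, self.router_port = set(ports), router_port
        self.cam = {}  # MAC bytes -> set of port numbers

    def learn(self, src_mac, port):
        self.cam[src_mac] = {port}

    def egress(self, dst_mac, ingress):
        """Known MAC: the entry's ports; unknown MAC: flood every other port (Fig. 2)."""
        return (self.cam[dst_mac] if dst_mac in self.cam else self.ports) - {ingress}

    def handle_cgmp(self, data):
        _ver, msg_type, pairs = parse_cgmp(data)
        for gda, usa in pairs:
            host_ports = self.cam.get(usa)
            if not host_ports:
                continue  # USA never learned: no port to map it to, ignore the pair
            port = next(iter(host_ports))
            if msg_type == CGMP_JOIN:
                self.cam.setdefault(gda, {self.router_port}).add(port)
            elif msg_type == CGMP_LEAVE and gda in self.cam:
                self.cam[gda].discard(port)
                if self.cam[gda] <= {self.router_port}:
                    del self.cam[gda]


def replay_figs_2_and_3():
    """Host 1 (port 2) and then host 4 (port 5) join 224.1.2.3; router on port 1."""
    sw = CgmpSwitch(ports=[1, 2, 3, 4, 5], router_port=1)
    host1, host4 = mac("0080.c7a2.1093"), mac("0080.c7b3.2174")
    sw.learn(host1, 2)
    sw.learn(host4, 5)
    gda = group_mac("224.1.2.3")
    flood = sw.egress(gda, ingress=2)                  # Fig. 2: no entry yet, floods
    sw.handle_cgmp(pack_cgmp(CGMP_JOIN, [(gda, host1)]))
    second = sw.egress(gda, ingress=5)                 # Fig. 3: entry hit, ports 1 and 2
    sw.handle_cgmp(pack_cgmp(CGMP_JOIN, [(gda, host4)]))
    return {"flood": flood, "second_report": second, "members": set(sw.cam[gda])}
```

Note that the switch acts on whatever CGMP Join it receives and never checks who the host is; that is the gap [0013] describes, and the reason the GDA/USA pair alone cannot express an authorization decision.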

[0012] Although the synergic extension method between IGMP and RADIUS above solves the authorization problems for the sender and the receiver, some shortcomings still exist.

(1) Once a host has joined the multicast group successfully in a shared network, all the other hosts will be able to receive the multicast data, which means it is impossible to prevent unauthorized hosts from receiving the multicast data. If a key-based method is adopted to solve the problem, distributing keys to each host before authentication brings numerous limitations and troubles.

(2) If both of these two protocols are adopted, it is necessary not only to upgrade the multicast router equipment, but also to modify the IGMP software on the host side. Furthermore, neither of these two protocols is standardized; present hosts do not support the IGMP extension.

[0013] Defects of the CGMP means of Cisco Inc. can be noted as follows.

(1) No relation is provided between the forwarding control on the layer 2 switch controlled by the multicast router and authorized reception by the host/user, and no authenticating and authorizing method for the user to join the multicast group is provided either; all the control methods provided are a means of controlling the flooding of multicast messages at the ports of the layer 2 switch.

(2) The multicast router cannot detect a "Silent Leave" of the host/user.

Summary of the Invention 

[0014] It is an object to provide a controlled multicast system, in order to provide the application environment for a controlled multicast method of the invention.

[0015] It is another object to provide the method for implementing controlled multicast, in order to solve the multicast disadvantages of the prior art, which includes the synergic method between the IGMP extension and the RADIUS extension and the CGMP of Cisco Inc.; at the same time, the method can better solve the problems of authorization, authentication and controlled join of the senders and receivers which participate in the multicast.
[0016] A controlled multicast system includes an Ethernet switch and a multicast router, wherein the Ethernet switch connects with each host of a user in the downlink and connects with the multicast router in the uplink, the multicast router connects with multicast routers of other systems in the uplink, the Ethernet switch implements layer 2 multicast switching, and the IGMP v2 protocol is adopted as the group management protocol between the Ethernet switch and the host of the user; the controlled multicast system further comprises a portal server and an AAA server that connect with the multicast router, the portal server acting as the interface for user access authentication, the AAA server being used for storing the configuration of privileges for the user to join a multicast group; the multicast router cooperates with the AAA server to implement privilege authentication for the user to join the multicast group, and distributes control commands according to the results of the authentication to control the multicast forwarding operations of the Ethernet switch.

[0017] A RADIUS+ protocol extended from an AAA protocol is adopted as the communication protocol between the multicast router and the AAA server; the group management protocol HGMP (Huawei Group Management Protocol) is used as the control protocol between the Ethernet switch and the multicast router.
[0018] A method for implementing controlled multicast comprises: first implementing access authentication; then an Ethernet switch classifying VLANs according to port and handling an IGMP message from a host; implementing user identification and authentication for joining a multicast group, and a multicast router handling the IGMP message; in succession, the multicast router controlling the Ethernet switch for multicast forwarding, with the HGMP protocol used between them as the control protocol of the controlled multicast; after that, the Ethernet switch processing the HGMP control message and forwarding the multicast flow; and the host leaving the multicast group, with the corresponding processing, after the forwarding operation is finished;

wherein the step of implementing access authentication comprises:

(1) when accessing the network, the host first inputting authentication information that includes a User ID and a password through an interface provided by a portal server, and an AAA server authenticating the identity of the host with this information; once the authentication is successful, the multicast router recording the User ID and the corresponding vlan ID of the host in a multicast access privilege table of the user;

the step of the Ethernet switch classifying the vlan according to the port and handling the IGMP message from the host comprises:

(2) classifying the vlan according to the ports, with one vlan for each port and one host linked to each port; searching a Content-Addressable Memory (CAM) table with the destination MAC address of the IGMP message sent by the host and forwarding the IGMP message, the forwarding process being the same as that of a unicast message: if the port corresponding to the destination MAC address is found, forwarding the message to that port, otherwise forwarding it to all the ports;

the step of implementing user identification, authentication for joining the multicast group, and handling of the IGMP message by the multicast router comprises:

(3) after receiving an IGMP Membership Report message, the multicast router, according to the vlan ID in the message, finding the corresponding User ID and the host to which the IGMP Membership Report message belongs by searching the multicast access privilege table of the user recorded in step (1), and then sending an extended RADIUS authentication message, which includes the User ID just found as the user name and the address of the multicast group the host wants to join as an attribute, to the AAA server for authentication;

the AAA server determining whether to accept the user based on the services the user has applied for; if the user has the suitable privilege, responding with an acceptance message, otherwise returning a reject message; after receiving the reject message, the multicast router doing nothing, but on receiving the acceptance message, the multicast router writing the address of the multicast group the user may join into the multicast access privilege table of the user, performing the routine processing of the host's join message, then generating and transmitting an HGMP Join message to the Ethernet switch, which comprises the vlan ID corresponding to the port that links with the host which wants to join the multicast group, the address of the multicast group applied for, and a Join command field; moreover, the multicast router also completing the routine processing of creating the multicast forwarding tree for the IGMP Membership Report message, just like an ordinary multicast router does;

the step of the multicast router controlling the multicast forwarding of the Ethernet switch, with the HGMP protocol as the control protocol of the controlled multicast, comprises:

(4) the multicast router managing the creation and deletion of entries in the CAM table at the Ethernet switch; when allowing the host to join the multicast group, the multicast router sending to the Ethernet switch the HGMP Join message that includes the vlan ID of the host which applies to join the multicast group and the address of the multicast group applied for; when the multicast router wants to terminate the host's membership in the multicast group, the multicast router transmitting an HGMP Leave message which comprises the vlan ID of the host which leaves the multicast group and the address of the multicast group the host leaves;

the step of the Ethernet switch processing the HGMP control message comprises:

(5) after receiving the HGMP Join message, the Ethernet switch searching the CAM table with the MAC address corresponding to the address of the multicast group; if the entry corresponding to that address is found, the Ethernet switch obtaining the port number of the host via the vlan ID in the HGMP Join message and then adding the port number to that entry; if nothing is found, adding an entry to the CAM table which comprises the MAC address corresponding to the multicast address, the port number of the host which applies to join the multicast group, and the port number of the multicast router connected with the Ethernet switch;

after receiving the HGMP Leave message, the Ethernet switch obtaining the entry by looking up the CAM table with the MAC address corresponding to the multicast address of the multicast group, getting the port number of the host through the vlan ID, and then deleting that port number from the entry; if that port number is the only port of the entry, deleting the whole entry;

the step of forwarding the multicast flow comprises:

(6) when receiving the multicast flow sent from the multicast source, the multicast router forwarding the multicast flow to an egress based on a CAM table; when handling the IGMP Membership Report message of the host, the multicast router creating a multicast forwarding egress according to the real port of the Ethernet switch, and sending only one copy of the multicast flow to the Ethernet switch;

the step of the host leaving the multicast group comprises:

(7) after finishing with the multicast and wanting to leave the multicast group, the host sending an IGMP Leave message; after receiving the IGMP Leave message, the multicast router extracting the vlan ID from the message, obtaining the corresponding entry by searching the multicast access privilege table created in step (1) with the vlan ID, then deleting the address of the multicast group indicated by the IGMP Leave message from the entry; after completing the routine processing of leave messages, the multicast router generating the HGMP Leave message and sending it to the Ethernet switch, which includes the vlan ID of the host which wants to leave the group, the address of the multicast group the host wants to leave, and a Leave command field;

wherein the CAM table and the unicast forwarding table of the Ethernet switch are shared;

wherein, during message forwarding, a vlan protocol is adopted between the port of the multicast router and the Ethernet switch;

wherein in step (6) there is no vlan ID in the multicast data packets of the multicast flow sent from the multicast router;

wherein in step (7), leaving the multicast group can also be implemented by the following means: once the multicast router learns that the user is offline, the multicast router actively sends the HGMP Leave message to terminate the multicast flow transmission to the host, in the same way as when processing an IGMP Leave message.
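Steps (1) to (7) above, which are the same sequence the embodiment walks through in Figs. 5 to 9, are exercised end to end in the following added worked example. It is not part of the original application and not Huawei's HGMP or RADIUS+ implementation: HGMP's wire format is not given on the page, so the control messages are plain tuples, the AAA privilege check is a local lookup, and the users, passwords, port numbers and vlan numbers are constructed to match the figures (multicast router on port 1, hosts 1 to 4 on ports 2 to 5, port N+1 carrying vlan N).

```python
"""Added example walking method steps (1)-(7) (Figs. 5-9): portal access
authentication, port-per-vlan identification of the host, the AAA check on
an IGMP report, HGMP Join/Leave driving the switch CAM table, and the
active Leave when a user goes offline. Not Huawei's code; HGMP messages
are tuples, and users, ports and vlans are constructed to match the figures.
"""
import hmac
import ipaddress

HGMP_JOIN, HGMP_LEAVE = "Join", "Leave"


def group_mac(group):
    """224.1.2.3 -> '0100.5e01.0203' (01-00-5e plus the low 23 bits of the group)."""
    low = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "0100.5e%02x.%02x%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)


class AAAServer:
    """Constructed accounts and, per user, the set of groups the user may join."""
    def __init__(self, accounts, privileges):
        self.accounts, self.privileges = accounts, privileges

    def authenticate(self, user, password):          # portal login, step (1)
        return hmac.compare_digest(self.accounts.get(user, ""), password)

    def authorize(self, user, group):                # Access-Accept / Reject, step (3)
        return group in self.privileges.get(user, set())


class EthernetSwitch:
    """One host per port, one vlan per port; CAM keyed by MAC, shared with unicast."""
    def __init__(self, router_port, host_ports):
        self.router_port = router_port
        self.port_vlan = {p: p - 1 for p in host_ports}   # port 2 -> vlan 1, as in Fig. 5
        self.cam = {}

    def vlan_of(self, port):                          # step (2): report tagged with ingress vlan
        return self.port_vlan[port]

    def handle_hgmp(self, cmd, vlan, group):          # step (5)
        key = group_mac(group)
        port = next(p for p, v in self.port_vlan.items() if v == vlan)
        if cmd == HGMP_JOIN:
            self.cam.setdefault(key, {self.router_port}).add(port)
        elif cmd == HGMP_LEAVE and key in self.cam:
            self.cam[key].discard(port)
            if self.cam[key] <= {self.router_port}:   # no host port left: drop the entry
                del self.cam[key]


class MulticastRouter:
    def __init__(self, aaa, switch):
        self.aaa, self.switch = aaa, switch
        self.privilege_table = {}   # vlan -> [user_id, set(groups)]
        self.sent = []              # HGMP messages, kept for inspection

    def access_auth(self, vlan, user, password):      # step (1)
        if not self.aaa.authenticate(user, password):
            return False
        self.privilege_table[vlan] = [user, set()]
        return True

    def _hgmp(self, cmd, vlan, group):                # step (4)
        self.sent.append((cmd, vlan, group))
        self.switch.handle_hgmp(cmd, vlan, group)

    def igmp_report(self, vlan, group):               # step (3)
        """vlan -> user -> AAA check -> HGMP Join. An unauthenticated vlan or a
        rejected user changes nothing, so the CAM never opens for them."""
        entry = self.privilege_table.get(vlan)
        if entry is None or not self.aaa.authorize(entry[0], group):
            return False
        entry[1].add(group)
        self._hgmp(HGMP_JOIN, vlan, group)
        return True

    def igmp_leave(self, vlan, group):                # step (7)
        entry = self.privilege_table.get(vlan)
        if entry is not None and group in entry[1]:
            entry[1].discard(group)
            self._hgmp(HGMP_LEAVE, vlan, group)

    def user_offline(self, vlan):                     # step (7), alternative: silent leave
        _user, groups = self.privilege_table.pop(vlan, [None, set()])
        for group in sorted(groups):
            self._hgmp(HGMP_LEAVE, vlan, group)


def scenario():
    """Hosts 1, 2 and 4 log in; only 1 and 4 are entitled to 224.1.2.3; host 3 never logs in."""
    aaa = AAAServer({"host1": "pw-1", "host2": "pw-2", "host4": "pw-4"},
                    {"host1": {"224.1.2.3"}, "host4": {"224.1.2.3"}})
    sw = EthernetSwitch(router_port=1, host_ports=range(2, 6))
    rt = MulticastRouter(aaa, sw)
    for port, user in ((2, "host1"), (3, "host2"), (5, "host4")):
        rt.access_auth(sw.vlan_of(port), user, "pw-" + user[-1])
    g, key = "224.1.2.3", group_mac("224.1.2.3")
    result = {"joined": rt.igmp_report(sw.vlan_of(2), g),     # Fig. 6
              "denied": rt.igmp_report(sw.vlan_of(3), g),     # logged in, not entitled
              "unauth": rt.igmp_report(sw.vlan_of(4), g)}     # never logged in
    rt.igmp_report(sw.vlan_of(5), g)                          # Fig. 7
    result["members"] = set(sw.cam[key])
    rt.user_offline(sw.vlan_of(2))                            # host 1 drops without IGMP Leave
    result["after_offline"] = set(sw.cam[key])
    rt.igmp_leave(sw.vlan_of(5), g)                           # Fig. 9
    result["entry_gone"] = key not in sw.cam
    result["hgmp"] = list(rt.sent)
    return result
```

The one-port, one-vlan, one-host binding is what makes the vlan ID a trustworthy identity: the switch stamps it from the ingress port, so a host cannot claim another user's vlan by forging an IGMP report, and the offline path closes the silent-leave gap of [0013] without any IGMP traffic from the host.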

[0019] The method further comprises controlling the multicast sender, which includes: when the host transmits data to the multicast group, the first multicast router to receive it filtering the data messages with a multicast Access Control List (ACL), and forwarding to the multicast tree only the data messages that satisfy the requirements in the ACL;

wherein the multicast ACL comprises a command word, a source address and a group address;

wherein the multicast ACL is distributed to each multicast router by a centralized multicast service control server; the step of controlling the sender is accomplished with the multicast ACL by the multicast router, and the multicast service control server also acts as the AAA server;

wherein the multicast ACL can also be distributed by a centralized policy server or a network manager.
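The sender-side control of [0019] is shown below as an added worked example that is not part of the original application and not the patent's ACL syntax: the first-hop multicast router evaluates each data packet's (source, group) pair against rules of (command word, source address, group address). The text form of the rules, prefix matching, first-match-wins and the implicit deny at the end are assumptions; the rule set and packets are constructed sample data.

```python
"""Added example of the sender-side control in [0019]: the first-hop
multicast router checks a packet's (source, group) against a multicast
ACL of (command word, source address, group address) rules before
forwarding to the multicast tree. Not the patent's syntax; the text
form, prefix matching, first-match-wins and implicit deny are assumptions.
"""
import ipaddress

MCAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


def parse_acl(text):
    """Lines of '<permit|deny> <source[/len]|any> <group[/len]|any>'; '#' starts a comment."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected '<permit|deny> <source> <group>'")
        src = ipaddress.ip_network("0.0.0.0/0" if parts[1] == "any" else parts[1], strict=False)
        grp = MCAST_RANGE if parts[2] == "any" else ipaddress.ip_network(parts[2], strict=False)
        if not grp.subnet_of(MCAST_RANGE):
            raise ValueError(f"line {lineno}: {parts[2]} is not a multicast range")
        rules.append((parts[0] == "permit", src, grp))
    return rules


def sender_permitted(rules, source, group):
    """First matching rule decides; no match means deny, so a sender the
    service controller never listed cannot inject into any tree."""
    s, g = ipaddress.ip_address(source), ipaddress.ip_address(group)
    if not g.is_multicast:
        return False
    for permit, src_net, grp_net in rules:
        if s in src_net and g in grp_net:
            return permit
    return False


def filter_flow(rules, packets):
    """Keep the (source, group, payload) packets the first-hop router may forward."""
    return [p for p in packets if sender_permitted(rules, p[0], p[1])]


# Constructed rule set, as a multicast service control server might push it.
SAMPLE_ACL = """
permit 10.1.1.10/32  224.1.2.3/32   # the licensed encoder may source this channel
deny   10.1.1.0/24   224.1.0.0/16   # nobody else on the subnet may source the service range
permit 10.1.1.0/24   239.0.0.0/8    # site-local scope is open to the whole subnet
"""

# Constructed traffic: the encoder, a rogue host hijacking the channel,
# a host in the open scope, and a packet with a non-multicast destination.
SAMPLE_PACKETS = [
    ("10.1.1.10", "224.1.2.3", b"frame-1"),
    ("10.1.1.77", "224.1.2.3", b"rogue"),
    ("10.1.1.77", "239.1.1.1", b"local-scope"),
    ("10.1.1.10", "10.1.1.1", b"unicast"),
]
```

Because the ACL is keyed on the source IP, it is only as strong as the ingress anti-spoofing on the first-hop router: a host that can forge the encoder's address passes the permit rule, so the ACL belongs behind source-address validation, not in place of it.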
[0020] The main advantages of the present invention are as follows. The method provides an effective technical means for authenticated authorization when the user joins the multicast group, in order to ensure that only authorized users can join the multicast group; through the one-to-one relationship among the port, the user and the vlan ID, together with access authentication for the user, the user who joins or leaves the multicast group can be easily identified. The multicast router can exert active and decisive control over the multicast forwarding function of the layer 2 switch and distribute its control policy to the Ethernet switch, which better solves the control problems in the IP multicast service. Secondly, when the host leaves the multicast group without sending an IGMP Leave message, for instance when the multicast application program terminates abnormally, the group membership can be actively terminated when the user goes offline. What is more, there is no influence on forwarding efficiency after introduction of the control means according to the present invention. The method of the present invention has broad prospects for application.

Brief Description of the Drawings

[0021]

Fig. 1 is a schematic diagram of the CGMP message format in the prior art.

Fig. 2 is a schematic diagram illustrating the flow of signals when host 1 first joins multicast group 224.1.2.3 in the CGMP process of the prior art.

Fig. 3 is a schematic diagram illustrating the flow of signals when host 4 subsequently joins multicast group 224.1.2.3 in the CGMP process of the prior art.

Fig. 4 is a schematic diagram illustrating the system structure of the controlled multicast system according to the present invention.

Fig. 5 is a schematic diagram illustrating the flow of signals during access authentication for host 1 in the controlled multicast according to the present invention.

Fig. 6 is a schematic diagram illustrating the flow of signals when host 1 first joins multicast group 224.1.2.3 in the controlled multicast according to the present invention.

Fig. 7 is a schematic diagram illustrating the flow of signals when host 4 subsequently joins multicast group 224.1.2.3 in the controlled multicast according to the present invention.

Fig. 8 is a schematic diagram illustrating the flow of signals with which the multicast router forwards the multicast flow in the controlled multicast according to the present invention.

Fig. 9 is a schematic diagram illustrating the flow of signals when host 1 leaves multicast group 224.1.2.3 in the controlled multicast according to the present invention.

Fig. 10 is a schematic diagram illustrating the centralized control scheme in the controlled multicast system according to the present invention.

Embodiments of the Invention

[0022] The present invention will be described in more detail hereinafter with reference to the accompanying drawings.

[0023] Now refer to Fig. 4. The invention provides a controlled multicast system that includes Ethernet switch 1 and multicast router 2, wherein Ethernet switch 1 connects with each host of the user in the downlink and in the uplink with multicast router 2, which further connects with multicast router 5 of other systems; the IGMP v2 (version 2) protocol is used as the group management protocol between the host and the Ethernet switch, which implements layer 2 multicast switching. The controlled multicast system further comprises portal server 3 and AAA server 4, which connect with multicast router 2, wherein portal server 3 is used as the interface of access authentication for the users, AAA server 4 is used for storing the privilege configuration of the users who want to join the multicast group, a client-server structure is adopted between AAA server 4 and multicast router 2, and multicast router 2, together with AAA server 4, authenticates the privileges of users who want to join the multicast group and distributes control orders according to the results of the authentication, in order to control the multicast forwarding operation of Ethernet switch 1. In the invention, the RADIUS+ protocol that is extended from the standard RADIUS protocol is adopted as the communication protocol between multicast router 2 and AAA server 4; meanwhile, the group management protocol HGMP is used as the control protocol between Ethernet switch 1 and multicast router 2.

[0024] The implementing method and operational steps of the complete process for a host joining the multicast group according to the present invention will be described in more detail hereinafter with reference to the accompanying drawings from Fig. 5 to Fig. 10 and an embodiment.

[0025] As shown in Fig. 5, when a certain host (suppose host 1) wants to access the network, the host must first authenticate through the interface provided by the portal server; the AAA server is the authentication server. The User ID in the pane at the right side of the AAA server in the drawing represents the user name input by the user while authenticating, and group represents the address of the multicast group the user wants to join. The Ethernet switch (LAN Switch) classifies VLANs according to the ports, each of which connects with one user. Port 1 links to the multicast router, and ports 2 to 5 connect to hosts 1 to 4 respectively. Once the authentication is successful, the multicast router records the User ID of host 1 (i.e. host 1) and the corresponding vlan number (i.e. vlan 1) of host 1 (here, assume the user name in the user account of host 1 is host 1).
[0026] As shown in Fig. 6, when host 1 wants to join the multicast group (assume group 224.1.2.3), the host sends an IGMP Membership Report message to join multicast group 224.1.2.3; the Switching Engine searches the CAM table with the destination MAC address 0100.5e01.0203 in the message; because there is no matching entry in the CAM table, the message is forwarded (flooded) to all the ports, including the CPU and the multicast router; according to the receiving port, the message that is forwarded to the multicast router is tagged with the vlan number (in the case of host 1, vlan 1).

[0027] After receiving the IGMP Membership Report message, the multicast router extracts the vlan ID (vlan 1) from the message and with it obtains the User ID (host 1) corresponding to the user; the multicast router uses the found User ID as the user name, takes the address (224.1.2.3) of the multicast group the host wants to join as an attribute, and sends the extended RADIUS authentication message to the AAA server for authentication; the AAA server determines whether to accept the user according to the service he applied for. If the user has the required privilege, the AAA server responds with the acceptance message, otherwise it sends the reject message as the response. In the case of receiving the reject message, the multicast router does nothing; once the received message is the acceptance message, the multicast router records the address of the multicast group the user may join in the multicast access privilege table of the user, performs the routine multicast router processing of the message, then generates and transmits the HGMP Join message to the switch, which comprises the vlan number (vlan 1) of the host which applies to join the multicast group, the address (224.1.2.3) of the multicast group the host applies to join, and the Join command field.

[0028] After receiving the HGMP Join message, the switch adds an entry to the CAM table, which comprises the MAC address (0100.5e01.0203) corresponding to the multicast address (224.1.2.3), the port number (2) of the host which applies to join the multicast group and the port number (1) of the multicast router that connects with the switch. The port number of the host is obtained by searching a table with the vlan ID.

[0029] Now refer to Fig. 7. When another new host (assume the fourth host, host 4) joins multicast group 224.1.2.3 (assume the host has already passed the access authentication in the same way as host 1 in the first step), and also sends the IGMP Membership Report message to the switch, the Switching Engine finds the entry via searching in the CAM table with the destination MAC address 0100.5e01.0203, and then sends the message to ports 1 and 2 (i.e. the multicast router and host 1) listed in the entry.

[0030] After receiving the IGMP Membership Report message, the multicast router extracts the vlan ID (vlan 4) from the message, with which the multicast router finds the User ID (host 4) corresponding to the user through searching in the multicast access privilege table, and then appoints the User ID as the user name, the address (224.1.2.3) of the multicast group where the host wants to join as its attribute, and finally transmits the extended RADIUS authentication message to the AAA server for authentication; the AAA server will determine whether to accept the user according to the service he applied for. If the user has the required privilege, the AAA server responds with the acceptance message, otherwise sends the reject message as response. In case of receiving the reject message, the multicast router will do nothing; once the received message is the acceptance message, the multicast router will write the address of the multicast group in which the user can join into the multicast access privilege table of the user, perform the routine processing of the multicast router on the join message of the host, then generate and transmit the HGMP Join message to the switch, which includes the vlan number (vlan 4) of the host which applies to join in the multicast group, the address (224.1.2.3) of the multicast group in which the host applies to join, and the Join command field.

[0031] After receiving the HGMP Join message, the switch will search in the CAM table with the MAC address (0100.5e01.0203) corresponding to the address (224.1.2.3) of the multicast group; because the entry already exists in the CAM table after host 1 has joined group 224.1.2.3 in the above step as shown in Fig. 6, the same entry as the result of the last search will be obtained; the port number of the host (5) will be added to the entry after port number 5 is obtained through searching in the CAM table with the vlan ID.

[0032] As shown in Fig. 8, when the multicast router receives the multicast flow sent from the multicast source, the multicast flow will be forwarded to the egress according to the CAM table. Because the multicast router creates the multicast forwarding egress based on the real ports of the switch rather than the vlan number when handling the IGMP Membership Report message of the host, the switch connected with the multicast router has only one egress in the CAM table, and only one copy of the multicast flow is transmitted to the switch, without the vlan ID in the multicast data packet.
[0033] As shown in Fig. 9, once it wants to leave multicast group 224.1.2.3, host 1 may send the IGMP Leave message to the switch; in Fig. 9, what corresponds to the IGMP Leave message sent by host 1 is the arrow drawn from host 1, and the Switching Engine searches in the CAM table with destination MAC address 0100.5e01.0203; after finding the entry, the Switching Engine will transmit the message to the ports listed in the entry: 1 and 5 (i.e. the multicast router and host 4).

[0034] After receiving the IGMP Leave message of the member, the multicast router extracts the vlan ID (vlan 1) from the message, and obtains the corresponding entry through searching in the multicast access privilege table with the vlan ID, then deletes multicast address 224.1.2.3 indicated by the IGMP Leave message in the entry as shown in Fig. 9; i.e. after deleting address 224.1.2.3 in the multicast group column (group) in the pane at the right side of the multicast router, where the user who corresponds to vlan 1 has the right to join in, the multicast router completes the routine processing on the leave message of the member; then generates and sends the HGMP Leave message to the switch; in Fig. 9, what corresponds to the HGMP Leave message is the downward arrow drawn from the multicast router; the message comprises the vlan number of the host (vlan 1) which wants to leave the multicast group and the multicast address (224.1.2.3) that will be departed as well as the Leave command field.
[0035] After receiving the HGMP Leave message, the switch may obtain the entry through searching in the CAM table with MAC address 0100.5e01.0203 that corresponds to multicast address 224.1.2.3, and get port number 2 of the host which sends the IGMP Leave message through searching with the vlan ID, and delete port number 2 from the entry.
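The join/leave exchange of Figs. 6 to 9 (vlan-to-user lookup, AAA check, HGMP Join/Leave, CAM entry maintenance) as an added model in Python; this is not the patent's own code, and the port numbers, user names, AAA privilege table and the rule that an entry is dropped once no host port remains are constructed assumptions.

```python
# Added example, not the patent's own code: a model of the join/leave
# exchange of Figs. 6-9.  Ports, users and the AAA policy are constructed.
import ipaddress

def group_mac(group: str) -> str:
    """IPv4 multicast address -> Ethernet MAC (low 23 bits under the
    01:00:5e prefix), e.g. 224.1.2.3 -> 0100.5e01.0203."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    hexs = f"{(0x01005E << 24) | low23:012x}"
    return f"{hexs[0:4]}.{hexs[4:8]}.{hexs[8:12]}"

class Switch:
    """Layer-2 switch: one vlan per host port, CAM table keyed by MAC."""
    def __init__(self, router_port: int, port_vlan: dict):
        self.router_port = router_port
        self.port_vlan = port_vlan   # host port -> vlan id
        self.cam = {}                # MAC -> set of egress ports

    def port_of(self, vlan: int) -> int:
        return next(p for p, v in self.port_vlan.items() if v == vlan)

    def hgmp_join(self, vlan: int, group: str):
        # Add the host port; create the entry with the router port if absent.
        self.cam.setdefault(group_mac(group), {self.router_port}).add(self.port_of(vlan))

    def hgmp_leave(self, vlan: int, group: str):
        # Drop the host port; drop the entry once no host port is left
        # (assumption: the router's uplink port alone does not keep it).
        entry = self.cam.get(group_mac(group))
        if entry is not None:
            entry.discard(self.port_of(vlan))
            if entry <= {self.router_port}:
                del self.cam[group_mac(group)]

class MulticastRouter:
    """Keeps the multicast access privilege table and consults AAA."""
    def __init__(self, aaa_policy: dict, switch: Switch):
        self.aaa_policy = aaa_policy   # AAA store: user -> groups permitted
        self.priv = {}                 # vlan -> {"user": ..., "groups": set()}
        self.switch = switch

    def access_auth(self, vlan: int, user: str):
        """Step (1): after portal login, record User ID and vlan ID."""
        self.priv[vlan] = {"user": user, "groups": set()}

    def igmp_report(self, vlan: int, group: str) -> bool:
        """Steps (3)-(4): vlan -> user, ask AAA, HGMP Join only on accept."""
        rec = self.priv.get(vlan)
        if rec is None or group not in self.aaa_policy.get(rec["user"], ()):
            return False               # reject (or unknown vlan): do nothing
        rec["groups"].add(group)
        self.switch.hgmp_join(vlan, group)
        return True

    def igmp_leave(self, vlan: int, group: str):
        """Step (7): remove the group from the privilege table, HGMP Leave."""
        if vlan in self.priv:
            self.priv[vlan]["groups"].discard(group)
        self.switch.hgmp_leave(vlan, group)
```

Because only 23 bits of the group address reach the MAC, several groups share one CAM entry (239.129.2.3 maps to the same MAC as 224.1.2.3), so the per-group privilege check has to stay in the router rather than in the switch.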

[0036] The steps above describe the detailed control processes on the multicast members of the controlled multicast method according to the present invention; moreover, the above method also comprises relevant control on the multicast sender as shown in Fig. 10. When the host (which is the message source (IDC) in Fig. 10) transmits data to a certain multicast group, the multicast router which receives the data in the first place will first download the multicast ACL (Access Control List, ACL for short) via the multicast service control server, and filter the data message with the multicast ACL; only the messages that satisfy the requirements can be forwarded to the Multicast Tree. Wherein, the multicast ACL is composed of the command word, the source address and the group address, which is also the destination address. In order to avoid the disadvantages caused by discrete configuration, a centralized multicast service control server is usually adopted to distribute the multicast ACL to each multicast router, which further controls the functions of senders; at the same time, the multicast service control server also acts as the AAA server; of course, the multicast ACL can also be distributed by a centralized policy server or the network manager.
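The sender-side multicast ACL of Fig. 10 (command word, source address, group address) applied by the first-hop multicast router, as an added example that is not the patent's own code; the text form of the ACL, the first-match rule order and the sample rules and packets are constructed assumptions.

```python
# Added example, not the patent's own code: the sender-side multicast ACL
# of Fig. 10 (command word, source address, group address) applied by the
# first-hop multicast router.  Rules and packets are constructed samples.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclRule:
    command: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network
    group: ipaddress.IPv4Network    # group address doubles as destination

def parse_acl(text: str) -> list:
    """Parse lines of '<permit|deny> <source/prefix> <group/prefix>'
    (a constructed text form; the patent does not fix one)."""
    rules = []
    for line in text.strip().splitlines():
        command, source, group = line.split()
        if command not in ("permit", "deny"):
            raise ValueError(f"unknown command word: {command}")
        rules.append(AclRule(command,
                             ipaddress.ip_network(source, strict=False),
                             ipaddress.ip_network(group, strict=False)))
    return rules

def first_hop_allows(rules: list, src: str, dst: str) -> bool:
    """First matching rule decides; nothing matched means not forwarded,
    since only messages that satisfy the ACL reach the multicast tree."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not d.is_multicast:
        return False
    for rule in rules:
        if s in rule.source and d in rule.group:
            return rule.command == "permit"
    return False

def filter_flow(rules: list, packets: list) -> list:
    """Return the (src, dst) pairs the router forwards to the multicast tree."""
    return [p for p in packets if first_hop_allows(rules, *p)]

# Constructed sample: only the IDC range may feed 224.1.2.3; one host
# inside that range is explicitly denied by an earlier rule.
SAMPLE_ACL = """
deny   10.1.1.99/32   224.0.0.0/4
permit 10.1.1.0/24    224.1.2.3/32
"""
SAMPLE_PACKETS = [
    ("10.1.1.5", "224.1.2.3"),    # permitted source and group
    ("10.1.1.99", "224.1.2.3"),   # denied by the first rule
    ("10.1.1.5", "224.9.9.9"),    # group not covered by any rule
    ("192.0.2.7", "224.1.2.3"),   # source outside the IDC range
]
```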
[0037] The above system and method for implementing controlled multicast have been experimented in several apparatus designed by the applicant; the results are very successful, and the aim of control over the multicast is realized according to the present invention.



Claims

1. A controlled multicast system, including an Ethernet switch and a multicast router, where the Ethernet switch connects with each host of a user in a downlink, connects with the multicast router in an uplink, the multicast router connects with a multicast router of other systems in the uplink, the Ethernet switch implementing multicast exchange of a layer 2, an IGMP V2 protocol is adopted as group management protocol between the Ethernet switch and the host of the user; wherein the controlled multicast system further comprises: a portal server and an AAA server that connect with the multicast router; the portal server acting as an interface of user access authentication, the AAA server being used for storing configuration of privilege for the user to join in a multicast group; the multicast router cooperating with the AAA server together to implement privilege authentication for the user to join in the multicast group, and distributing control commands according to results of the authentication to control multicast forwarding operations of the Ethernet switch.

2. The controlled multicast system according to claim 1, a RADIUS+ protocol extended from an AAA protocol is adopted as communication protocol between the multicast router and the AAA server; a group management protocol HGMP (Huawei Group Management Protocol) is used as a control protocol between the Ethernet switch and the multicast router.

3. A method for implementing a controlled multicast, comprises: implementing access authentication first; then an Ethernet switch classifying a vlan according to a port and handling an IGMP message from a host, implementing user identification, authentication for joining in a multicast group, and a multicast router handling the IGMP message; in succession, the multicast router controlling the Ethernet switch for multicast forwarding, between which a HGMP protocol is used as a control protocol of the controlled multicast; after that, the Ethernet switch disposing a HGMP control message and forwarding a multicast flow; the host leaving the multicast group and making corresponding processes after finishing the forwarding operation.

4. The method according to claim 3, wherein the step of implementing access authentication comprises,

(1) when accessing a network, the host inputting authentication information that includes a User ID and a password first through an interface provided by a portal server, and an AAA server authenticating identification of the host with the information; once the authentication is successful, the multicast router recording the User ID and a corresponding vlan ID of the host in a multicast access privilege table of the user;

the step of the Ethernet switch classifying the vlan according to the port and handling the IGMP message from the host comprises,

(2) classifying the vlan according to the ports, with one vlan for each port, and linking one port to one host; searching a Content-Addressable Memory (CAM) table with a destination MAC address of the IGMP message sent by the host and forwarding the said IGMP message, of which the forwarding process is the same as that of a unicast message: if the port corresponding to the destination MAC address is found, forwarding the multicast message to the port, otherwise forwarding the multicast message to all the ports;

the step of implementing user identification, authentication for joining in the multicast group, and handling the IGMP message by the multicast router comprises,
(3) after receiving an IGMP Membership Report message, according to the vlan ID in the message, the multicast router finding the corresponding User ID and the host to which the IGMP Membership Report message belongs through searching in the multicast access privilege table of the user recorded in step (1), and then sending an extended RADIUS authentication message, which includes the User ID just found as the user name and the address of the multicast group in which the host wants to join as an attribute, to the AAA server for authentication;

the AAA server determining whether to accept the user based on services of the user; if the user has the suitable privilege, responding with an acceptance message, otherwise returning a reject message; after receiving the reject message, the multicast router does nothing, but if receiving the acceptance message, the multicast router writing the address of the multicast group in which the user can join into the multicast access privilege table of the user, and implementing a routine disposal on join messages of the host, then generating and transmitting a HGMP Join message to the Ethernet switch, which comprises the vlan ID corresponding to the port that links with the host which wants to join in the multicast group, the address of the multicast group that is applied for, and a Join command field; moreover, the multicast router also completing a routine processing of creating a multicast forwarding tree on the IGMP Membership Report message just like an ordinary multicast router does;

the step of the multicast router controlling the Ethernet switch making the multicast forwarding with the HGMP protocol being control protocol of the controlled multicast comprises,

(4) managing generation and deletion of an entry in the CAM table at the Ethernet switch by the multicast router; while allowing the host to join in the multicast group, the multicast router sending the HGMP Join message that includes the vlan ID of the host which applies to join in the multicast group and the address of the multicast group applied for to the Ethernet switch; when the multicast router wants to terminate the host joining in the multicast group, the multicast router transmitting a HGMP Leave message which comprises the vlan ID of the host which leaves the multicast group and the address of the multicast group where the host leaves;

the step of the Ethernet switch disposing the HGMP control message comprises,

(5) after receiving the HGMP Join message, the Ethernet switch searching the CAM table with the MAC address corresponding to the address of the multicast group; if the entry corresponding with the address is found, the Ethernet switch obtaining the port number of the host via searching in the CAM table with the vlan ID in the HGMP Join message, and then adding the port number into the said entry; if nothing is found, adding an entry in the CAM table, which comprises the MAC address corresponding to the multicast address, the port number of the host which applies to join in the multicast group, and the port number of the multicast router connected with the Ethernet switch;

after receiving the HGMP Leave message, the Ethernet switch obtaining the entry through looking up the CAM table with the MAC address corresponding to the multicast address of the multicast group, and getting the port number of the host through searching with the vlan ID, and then deleting the said port number from the said entry; if the said port number is the only port of the said entry, deleting the whole entry;

the step of forwarding of the multicast flow comprises,

(6) when receiving the multicast flow sent from the multicast source, the multicast router forwarding the multicast flow to an egress based on a CAM table; when handling the IGMP Membership Report message of the host, the multicast router creating a multicast forwarding egress according to the real port of the Ethernet switch, and sending only one copy of the multicast flow to the Ethernet switch;

the step of the host leaving the multicast group comprises,

(7) after finishing the multicast and wanting to leave the multicast group, the host sending an IGMP Leave message; after receiving the IGMP Leave message, the multicast router extracting the vlan ID from the message, and obtaining the corresponding entry via searching in the multicast access privilege table created in step (1) with the vlan ID, then deleting the address of the multicast group indicated by the IGMP Leave message in the entry; after completing a routine disposal on leave messages, the multicast router generating the HGMP Leave message and sending it to the Ethernet switch, which includes the vlan ID of the host which wants to leave the group, the address of the multicast group where the host wants to leave and a Leave command field.

5. The method according to claim 3, wherein the CAM 
table and the unicast forwarding table of the Ether- 
net switch are shared. 



EP 1 480 405 A1


6. The method according to claim 3, wherein, during the message forwarding, adopting a vlan protocol between the port of the multicast router and the Ethernet switch.

7. The method according to claim 3, in step (6) there is no vlan ID in a multicast data packet of the multicast flow sent from the multicast router.

8. The method according to claim 3, in step (7) leaving from the multicast group can also be implemented via the following means, which comprises, once the multicast router knows the offline status of the user, the multicast router actively sending the HGMP Leave message to terminate multicast flow transmission to the host, which is the same as the processing on the IGMP Leave message.

9. The method according to claim 3, further comprises controlling the multicast sender, which includes when the host transmits data to the multicast group, the first receiver among the multicast routers filtering the data message with a multicast Access Control List (ACL), and forwarding the data message that satisfies the requirements in the ACL to the multicast tree.

10. The method according to claim 9, wherein the multicast ACL comprises a command word, a source address and a group address.

11. The method according to claim 9, wherein the multicast ACL is distributed to each multicast router by a centralized multicast service control server; the step of controlling the sender is accomplished with the multicast ACL by the multicast router, meanwhile the multicast service control server also acts as the AAA server.

12. The method according to claim 9 or claim 11, wherein the multicast ACL can also be distributed by a centralized policy server or a network manager.